Systems and methods for focused learning of application structure and ztna policy generation

ABSTRACT

Systems, devices, and methods are discussed for determining zero trust network access policy from a policy from a perspective focused on one or more network elements.

COPYRIGHT NOTICE

Contained herein is material that is subject to copyright protection.The copyright owner has no objection to the facsimile reproduction ofthe patent disclosure by any person as it appears in the Patent andTrademark Office patent files or records, but otherwise reserves allrights to the copyright whatsoever. Copyright © 2021, Fortinet, Inc.

FIELD

Embodiments discussed generally relate to securing network environments,and more particularly to systems and methods for determining zero trustnetwork access policy from a perspective focused on one or more networkelements.

BACKGROUND

It is not uncommon for network environments to support hundreds ofapplications that all need to be secured. In some approaches, anoperator is tasked with identifying allowed workloads, and manuallymodifying one or more firewalls with rules that allow identifiedworkloads and disallow unidentified workloads. Then, the operator mustforward test the implemented rules. This can become time consuming andis often subject to error due to the complexity of workloads and theimpact of security measures on other applications in the networkenvironment.

Thus, there exists a need in the art for more advanced approaches,devices and systems for developing and implementing security measures ina network environment.

SUMMARY

Various embodiments provide to systems and methods for determining zerotrust network access policy from a perspective focused on one or morenetwork elements.

This summary provides only a general outline of some embodiments. Manyother objects, features, advantages and other embodiments will becomemore fully apparent from the following detailed description, theappended claims and the accompanying drawings and figures.

BRIEF DESCRIPTION OF THE DRAWINGS

A further understanding of the various embodiments may be realized byreference to the figures which are described in remaining portions ofthe specification. In the figures, similar reference numerals are usedthroughout several drawings to refer to similar components. In someinstances, a sub-label consisting of a lower-case letter is associatedwith a reference numeral to denote one of multiple similar components.When reference is made to a reference numeral without specification toan existing sub-label, it is intended to refer to all such multiplesimilar components.

FIGS. 1A-1D illustrate a network architecture including a securityorchestration system in accordance with some embodiments;

FIG. 2 is a flow diagram showing a method in accordance with variousembodiments for performing forward testing at an application levelgranularity;

FIG. 3 is a graphical representation of an example access control listdesigned for zero trust network access in a network environment with asingle application;

FIGS. 4A-4F graphically represent generation of an access control listusing forward testing at an application granularity and providing zerotrust network access for a network environment running threeapplications in accordance with some embodiments;

FIG. 5 is a flow diagram showing a method in accordance with variousembodiments for forward testing an access control list on an applicationgranularity;

FIGS. 6A-6B are flow diagrams showing a method in accordance with someembodiments for developing a zero trust network access from theperspective of one or more identified network elements;

FIG. 7 is a flow diagram showing a method in accordance with one or moreembodiments for developing a zero trust network access for specificallyidentified network elements;

FIGS. 8A-8C show example workloads and corresponding access controllists that may be identified and formed in accordance with variousembodiments; and

FIG. 9 is a flow diagram showing a method in accordance with variousembodiments for developing a resilient zero trust network access policybased upon intent defined groups of workloads; and

FIGS. 10A-10B graphically depict access control lists having multi-portaccess control rules in accordance with some embodiments.

DETAILED DESCRIPTION

Various embodiments provide to systems and methods for determining zerotrust network access policy from a perspective focused on one or morenetwork elements.

An example enterprise network may have hundreds of applications, andeach of the hundreds of applications may consist of severalinterconnected tiers having workloads communicating between each other.Such workloads utilize common network infrastructure including, but notlimited to, domain name system (DNS), dynamic host configurationprotocol (DHCP), network time protocol (NTP), the internet, and/ormanagement software (e.g., performance and/or health monitoringsoftware. At the same time groups of clients (e.g., administrators,developers, testers, or the like) may desire access to theaforementioned workloads to perform their various tasks. In addition,network scanners and other administrative tools add complexity byconnecting to each asset over a range of ports. In such an environment,determining a desired zero trust network access (ZTNA) is challenging,and as workloads and clients continue become more dynamic, thecomplexity of determining desired security parameters and implementingthose security parameters in one or more network appliances becomesprogressively more complex. As just one example, in the past theprocesses related to determining and setting firewall rules could bedone manually, however, to the extent such rules are still being set andmaintained manually, it is only time before complexity renders such anapproach impossible.

To address some of this complexity, approaches for automaticallydetermining and setting security parameters using some level of machinelearning and automation have been developed. U.S. Pat. No. 10,944,723entitled “Systems and Methods for Managing Endpoints and SecurityPolicies in a Networked Environment”, and issued Mar. 9, 2021 describesa variety of approaches for reducing the complexity of maintainingnetwork security at a network environment level. The entirety of theaforementioned reference is incorporated herein by reference for allpurposes. Such an approach greatly enhances the ease at which a networkenvironment may be monitored and secured.

One problem with forward testing in current network environments is thatthe testing is applied to the network, and it is difficult if notimpossible to perform testing on smaller scale elements of the network.For example, when testing an access control list (ACL) that controlswhat endpoints can speak to which network services and vice-versa,forward testing is applied to the ACL for the entire network and therebyvalidates the ACL all at once. Assume at time tin state s1 it wasdetermined that x applications and y workloads exist in a networkenvironment and the ruleset {R} was found to be steady and not changing.Of note, in a dynamic environment the assumption that the ruleset issteady is valid only between two changes. Further assume, forwardtesting has been running for a sufficient time, and the operator decidesto change to an enforcement state. Such a change in state results in achange of a default ACL rule from allow to block. At this juncture, thenetwork environment enforces the generated ZTNA policy as only trustedand identified workloads are allowed.

Now assume that at time t+1 it is found that a change to s1 (which isaltering x, y or {R}) leads to s2 and it becomes desirable to re-applyforward testing to the ACL, the forward testing would be reapplied asbefore to the entire ACL. This would involve changing the default ACLrule from block to allow while the ACL rules are being tested. Thischange removes the ZTNA enforcement from all applications in the sameACL. This change is only temporary, but while the forward testing isbeing performed the ZTNA. Further, this re-application must be repeatedfor every determined change in s. In addition, the results of thetesting may be difficult to utilize and manage as they consider allapplications in the same ACL.

It has been found that by modifying the granularity at which a networkenvironment can be secured, the impact upon administrators overseeing aprocess of securing a network can be minimized, and/or the downtime ofZTNA can be reduced. Various embodiments discussed herein provide forincreased granularity of forward testing in a network environment.

Embodiments of the present disclosure include various processes, whichwill be described below. The processes may be performed by hardwarecomponents or may be embodied in machine-executable instructions, whichmay be used to cause a general-purpose or special-purpose processorprogrammed with the instructions to perform the steps. Alternatively,processes may be performed by a combination of hardware, software,firmware and/or by human operators.

Embodiments of the present disclosure may be provided as a computerprogram product, which may include a machine-readable storage mediumtangibly embodying thereon instructions, which may be used to program acomputer (or other electronic devices) to perform a process. Themachine-readable medium may include, but is not limited to, fixed (hard)drives, magnetic tape, floppy diskettes, optical disks, compact discread-only memories (CD-ROMs), and magneto-optical disks, semiconductormemories, such as ROMs, PROMs, random access memories (RAMs),programmable read-only memories (PROMs), erasable PROMs (EPROMs),electrically erasable PROMs (EEPROMs), flash memory, magnetic or opticalcards, or other type of media/machine-readable medium suitable forstoring electronic instructions (e.g., computer programming code, suchas software or firmware).

Various methods described herein may be practiced by combining one ormore machine-readable storage media containing the code according to thepresent disclosure with appropriate standard computer hardware toexecute the code contained therein. An apparatus for practicing variousembodiments of the present disclosure may involve one or more computers(or one or more processors within a single computer) and storage systemscontaining or having network access to computer program(s) coded inaccordance with various methods described herein, and the method stepsof the disclosure could be accomplished by modules, routines,subroutines, or subparts of a computer program product.

In the following description, numerous specific details are set forth inorder to provide a thorough understanding of embodiments of the presentdisclosure. It will be apparent to one skilled in the art thatembodiments of the present disclosure may be practiced without some ofthese specific details.

Terminology

Brief definitions of terms used throughout this application are givenbelow.

The terms “connected” or “coupled” and related terms, unless clearlystated to the contrary, are used in an operational sense and are notnecessarily limited to a direct connection or coupling. Thus, forexample, two devices may be coupled directly, or via one or moreintermediary media or devices. As another example, devices may becoupled in such a way that information can be passed there between,while not sharing any physical connection with one another. Based on thedisclosure provided herein, one of ordinary skill in the art willappreciate a variety of ways in which connection or coupling exists inaccordance with the aforementioned definition.

If the specification states a component or feature “may”, “can”,“could”, or “might” be included or have a characteristic, thatparticular component or feature is not required to be included or havethe characteristic.

As used in the description herein and throughout the claims that follow,the meaning of “a,” “an,” and “the” includes plural reference unless thecontext clearly dictates otherwise. Also, as used in the descriptionherein, the meaning of “in” includes “in” and “on” unless the contextclearly dictates otherwise.

The phrases “in an embodiment,” “according to one embodiment,” and thelike generally mean the particular feature, structure, or characteristicfollowing the phrase is included in at least one embodiment of thepresent disclosure, and may be included in more than one embodiment ofthe present disclosure. Importantly, such phrases do not necessarilyrefer to the same embodiment.

As used herein, a “network appliance” or a “network device” generallyrefers to a device or appliance in virtual or physical form that isoperable to perform one or more network functions. In some cases, anetwork appliance may be a database, a network server, or the like. Somenetwork devices may be implemented as general-purpose computers orservers with appropriate software operable to perform the one or morenetwork functions. Other network devices may also include customhardware (e.g., one or more custom Application-Specific IntegratedCircuits (ASICs)). Based upon the disclosure provided herein, one ofordinary skill in the art will recognize a variety of network appliancesthat may be used in relation to different embodiments. In some cases, anetwork appliance may be a “network security appliance” or a networksecurity device” that may reside within the particular network that itis protecting or network security may be provided as a service with thenetwork security device residing in the cloud. For example, while thereare differences among network security device vendors, network securitydevices may be classified in three general performance categories,including entry-level, mid-range, and high-end network security devices.Each category may use different types and forms of central processingunits (CPUs), network processors (NPs), and content processors (CPs).NPs may be used to accelerate traffic by offloading network traffic fromthe main processor. CPs may be used for security functions, such asflow-based inspection and encryption. Entry-level network securitydevices may include a CPU and no co-processors or a system-on-a-chip(SoC) processor that combines a CPU, a CP and an NP. Mid-range networksecurity devices may include a multi-core CPU, a separate NPApplication-Specific Integrated Circuits (ASIC), and a separate CP ASIC.At the high-end, network security devices may have multiple NPs and/ormultiple CPs. A network security device is typically associated with aparticular network (e.g., a private enterprise network) on behalf ofwhich it provides the one or more security functions. Non-limitingexamples of security functions include authentication, next-generationfirewall protection, antivirus scanning, content filtering, data privacyprotection, web filtering, network traffic inspection (e.g., securesockets layer (SSL) or Transport Layer Security (TLS) inspection),intrusion prevention, intrusion detection, denial of service attack(DoS) detection and mitigation, encryption (e.g., Internet ProtocolSecure (IPSec), TLS, SSL), application control, Voice over InternetProtocol (VoIP) support, Virtual Private Networking (VPN), data leakprevention (DLP), antispam, antispyware, logging, reputation-basedprotections, event correlation, network access control, vulnerabilitymanagement, and the like. Such security functions may be deployedindividually as part of a point solution or in various combinations inthe form of a unified threat management (UTM) solution. Non-limitingexamples of network security appliances/devices include networkgateways, VPN appliances/gateways, UTM appliances (e.g., the FORTIGATEfamily of network security appliances), messaging security appliances(e.g., FORTIMAIL family of messaging security appliances), databasesecurity and/or compliance appliances (e.g., FORTIDB database securityand compliance appliance), web application firewall appliances (e.g.,FORTIWEB family of web application firewall appliances), applicationacceleration appliances, server load balancing appliances (e.g.,FORTIBALANCER family of application delivery controllers), networkaccess control appliances (e.g., FORTINAC family of network accesscontrol appliances), vulnerability management appliances (e.g.,FORTISCAN family of vulnerability management appliances), configuration,provisioning, update and/or management appliances (e.g., FORTIMANAGERfamily of management appliances), logging, analyzing and/or reportingappliances (e.g., FORTIANALYZER family of network security reportingappliances), bypass appliances (e.g., FORTIBRIDGE family of bypassappliances), Domain Name Server (DNS) appliances (e.g., FORTIDNS familyof DNS appliances), wireless security appliances (e.g., FORTIWIFI familyof wireless security gateways), virtual or physical sandboxingappliances (e.g., FORTISANDBOX family of security appliances), and DoSattack detection appliances (e.g., the FORTIDDOS family of DoS attackdetection and mitigation appliances).

The phrase “processing resource” is used in its broadest sense to meanone or more processors capable of executing instructions. Suchprocessors may be distributed within a network environment or may beco-located within a single network appliance. Based upon the disclosureprovided herein, one of ordinary skill in the art will recognize avariety of processing resources that may be used in relation todifferent embodiments.

The phrase “forward testing” is used in its broadest sense to be anyprocess whereby simulation is used in relation to establish rules todiscern the utility and/or efficacy of such rules. Thus, as one example,forward processing may include utilizing a firewall that has establishedone or more network processing rules to determine whether rules in anACL are properly operating. Such forward processing may use simulateddata or actual network data depending upon the particularimplementation. In such a case, the forward processing is used, forexample, to test a variety of what-if scenarios, to determine whatnetwork traffic gets blocked, to determine what network traffic isallowed, and/or to determine if one of a variety of applicationsavailable in the network environment operates properly when the rulesare applied.

Example embodiments will now be described more fully hereinafter withreference to the accompanying drawings, in which exemplary embodimentsare shown. This disclosure may, however, be embodied in many differentforms and should not be construed as limited to the embodiments setforth herein. It will be appreciated by those of ordinary skill in theart that the diagrams, schematics, illustrations, and the like representconceptual views or processes illustrating systems and methods embodyingvarious aspects of the present disclosure. The functions of the variouselements shown in the figures may be provided through the use ofdedicated hardware as well as hardware capable of executing associatedsoftware and their functions may be carried out through the operation ofprogram logic, through dedicated logic, through the interaction ofprogram control and dedicated logic.

Some embodiments provide methods for performing forward testing on anaccess control list in a network environment. Such methods include:accessing, by a processing resource, a first access control listincluding at least a first workload rule that allows a first type ofnetwork communication and a default rule, where the first type ofnetwork communication corresponds to a first application; modifying, bythe processing resource, the first access control list to yield a secondaccess control list, where the second access control list additionallyincludes at least a secure rule and a second workload rule, where thesecure rule blocks at least the first type of network communication,where the second workload rule allows a second type of networkcommunication, and where the second type of network communicationcorresponds to the second application; and forward testing, by theprocessing resource, the second access control list, where the forwardtesting includes applying a set of network control rules included in thesecond access control list in a sequence until one of the rules in theset of network control rules is satisfied, and wherein the sequenceincludes: applying the first workload rule before the secure rule;applying the secure rule before applying the second workload rule;applying the second workload rule before applying the default rule; andapplying the default rule. In some instances of the aforementionedembodiments, the methods further include modifying, by the processingresource, the default rule to block any network communication betweenany source and any destination.

In some instances of the aforementioned embodiments, the default ruleallows any network communication between any source and any destination.In some such instances, the method further include: logging, by theprocessing resource, any network communications allowed by applying thedefault rule to yield logged network communications; and reporting, bythe processing resource, the logged network communications. In somecases where the set of network control rules is a first set of networkcontrol rules, and the sequence is a first sequence, the methods furtherinclude forward testing, by the processing resource, a third accesscontrol list. The third access control list is the second access controllist modified to include a third workload rule implemented to address anissue reflected in the logged network communications. Forward testingthe third access control list includes applying a second set of networkcontrol rules included in the third access control list in a secondsequence until one of the rules in the second set of network controlrules is satisfied. The second sequence includes: applying the firstworkload rule before the secure rule; applying the secure rule beforeapplying the second workload rule or the third workload rule; applyingthe second workload rule and the third default rule before applying thedefault rule; and applying the default rule. In various instances of theaforementioned embodiments, the logged network communications are notrelated to the first application.

In one or more instances of the aforementioned embodiments where the setof network control rules is a first set of network control rules and thesequence is a first sequence, the methods further include: modifying, bythe processing resource, the secure rule to yield a modified securerule, where the modified secure rule blocks at least the second type ofnetwork communication in addition to the first type of networkcommunication; modifying, by the processing resource, the second accesscontrol list to yield a third access control list. The third accesscontrol list includes the modified secure rule and a third workload rulethat allows a third type of network communication corresponding to athird application. The methods further include forward testing, by theprocessing resource, the third access control list, where the forwardtesting includes applying a second set network control rules included inthe third access control list in a second sequence until one of therules in the second set of network control rules is satisfied. Thesecond sequence includes: applying the first workload rule and thesecond workload rule before the secure rule; applying the secure rulebefore applying the third workload rule; applying the third workloadrule before applying the default rule; and applying the default rule. Insome such instance, the default rule allows any network communicationbetween any source and any destination, and the methods further include:logging, by the processing resource, any network communications allowedby applying the default rule to yield logged network communications; andreporting, by the processing resource, the logged networkcommunications. The logged network communications are not related toeither the first application or the second application.

In some cases of the aforementioned embodiments, the processing resourceis included in a network appliance. In various such cases, the networkappliance is a network firewall.

Other embodiments provide network appliances that include a processingresource and a non-transitory computer readable medium coupled to theprocessing resource. The non-transitory computer-readable medium hasstored therein instructions that when executed by the processingresource cause the processing resource to: access a first access controllist including at least a first workload rule that allows a first typeof network communication and a default rule, where the first type ofnetwork communication corresponds to a first application; modify thefirst access control list to yield a second access control list, wherethe second access control list additionally includes at least a securerule and a second workload rule, where the secure rule blocks at leastthe first type of network communication, where the second workload ruleallows a second type of network communication, and where the second typeof network communication corresponds to the second application; andforward test the second access control list, where the forward testingincludes applying a set of network control rules included in the secondaccess control list in a sequence until one of the rules in the set ofnetwork control rules is satisfied. The sequence includes: applying thefirst workload rule before the secure rule; applying the secure rulebefore applying the second workload rule; applying the second workloadrule before applying the default rule; and applying the default rule. Insome instances of the aforementioned embodiments, the network applianceis a network firewall.

Yet other embodiments provide non-transitory computer-readable storagemedia embodying a set of instructions, which when executed by aprocessing resource, causes the processing resource to: access a firstaccess control list including at least a first workload rule that allowsa first type of network communication and a default rule, where thefirst type of network communication corresponds to a first application;modify the first access control list to yield a second access controllist, where the second access control list additionally includes atleast a secure rule and a second workload rule, where the secure ruleblocks at least the first type of network communication, where thesecond workload rule allows a second type of network communication, andwhere the second type of network communication corresponds to the secondapplication; and forward test the second access control list, where theforward testing includes applying a set of network control rulesincluded in the second access control list in a sequence until one ofthe rules in the set of network control rules is satisfied. The sequenceincludes: applying the first workload rule before the secure rule;applying the secure rule before applying the second workload rule;applying the second workload rule before applying the default rule; andapplying the default rule.

Yet other embodiments provide methods for focused development of a zerotrust network access policy. Such methods include: accessing a focuslist, wherein the focus list identifies at least one network element;monitoring network activity to yield a set of network traffic;identifying a set of workloads in the set of network traffic that areeither sourced from any of the at least one network focus, or destinedto any of the at least one network element; and augmenting an accesscontrol list to include one or more workload rules allowing the set ofworkloads. The network element may be, but is not limited to, a networkendpoint, a network appliance, an application, and/or a port of anetwork appliance.

In some instances of the aforementioned embodiments where the set ofnetwork traffic is a first set of network traffic and the set ofworkloads is a first set of workloads, the methods further include:monitoring network activity to yield a second set of network traffic;identifying a second set of workloads in the second set of networktraffic that are either sourced from any of the at least one networkfocus, or destined to any of the at least one network focus; identifyingat least one workload in the second set of workloads that is not in thefirst set of workloads; and augmenting the access control list toinclude the at least one workload in the second set of workloads that isnot in the first set of workloads.

In various instances of the aforementioned embodiments where networkelement is a first network element, the methods further include:identifying a second network element that is either the source of aworkload in the set of workloads or a destination of a workload in theset of workloads; and augmenting the focus list to include the secondnetwork element. In some such instances where the set of network trafficis a first set of network traffic and the set of workloads is a firstset of workloads, the methods further include: monitoring networkactivity to yield a second set of network traffic; identifying a secondset of workloads in the second set of network traffic that are eithersourced from any of the at least one network focus, or destined to anyof the at least one network element; identifying at least one workloadin the second set of workloads that is not in the first set ofworkloads; and augmenting the access control list to include the atleast one workload in the second set of workloads that is not in thefirst set of workloads.

In one or more instances of the aforementioned embodiments, the methodsfurther include identifying a first application associated with two ormore workloads in the set of workloads, and a second applicationassociated with two or more other workloads in the set of workloads. Insuch instances, augmenting the access control list to include one ormore workload rules allowing the set of workloads is an incrementalmodification, and wherein the incremental modification includes:augmenting the access control list to include first workload rulescorresponding to the two or more workloads associated with the firstapplication to yield a first augmented access control list; forwardtesting the first augmented access control list; subsequent to forwardtesting the first augmented access control list, augmenting the firstaccess control list to include second workload rules corresponding tothe two or more workloads associated with the second application toyield a second augmented access control list; and forward testing thesecond augmented access control list. In some such instances where theaccess control list includes a default rule that allows any networktraffic between any source and any destination, the forward testing thefirst augmented access control list includes: applying the firstworkload rules; and applying the default rule after the first workloadrules. In some such instances where the access control list includes adefault rule that allows any network traffic between any source and anydestination, the forward testing the second augmented access controllist includes: applying the first workload rules; applying the secondworkload rules; and applying the default rule after applying all of thefirst workload rules and the second workload rules.

In some instances of the aforementioned embodiments the access controllist includes a default rule that allows any network traffic between anysource and any destination. In some such instances, the methods furtherinclude modifying the default rule to block any network traffic betweenany source and any destination.

Yet other embodiments provide network appliances that include: aprocessing resource, and a non-transitory computer-readable mediumcoupled to the processing resource. The non-transitory computer readablemedium has stored therein instructions that when executed by theprocessing resource cause the processing resource to: access a focuslist, wherein the focus list identifies at least one network element;monitor network activity to yield a set of network traffic; identify aset of workloads in the set of network traffic that are either sourcedfrom any of the at least one network focus, or destined to any of the atleast one network element; and augment an access control list to includeone or more workload rules allowing the set of workloads.

Yet further embodiments provide non-transitory computer readable mediaembodying a set of instructions, which when executed by a processingresource, causes the processing resource to: access a focus list,wherein the focus list identifies at least one network element; monitornetwork activity to yield a set of network traffic; identify a set ofworkloads in the set of network traffic that are either sourced from anyof the at least one network focus, or destined to any of the at leastone network element; and augment an access control list to include oneor more workload rules allowing the set of workloads.

Yet additional embodiments provide methods for resilient access controllist development. Such methods include: identifying a first set ofworkloads in a set of network traffic that share at least a first trait,and a second set of workloads in the set of network traffic that shareat least a second trait; identifying a first suggested intent of thefirst set of workloads based upon metadata associated with the first setof workloads; identifying a second suggested intent of the second set ofworkloads based upon metadata associated with the second set ofworkloads; and consolidating a plurality of ports of the first set ofworkloads based at least in part on a network element associated withthe first set of workloads into a set of ports.

In some instances of the aforementioned embodiments, the identifying thefirst set of workloads in the set of network traffic and the second setof workloads in the set of network traffic includes eliminating networktraffic corresponding to a scanner. In various instances of theaforementioned embodiments, the identifying the first set of workloadsin the set of network traffic and the second set of workloads in the setof network traffic includes eliminating incomplete workflows. In somesuch cases, the incomplete workflows are associated with a scanneraccessing a closed port. In one or more such cases, the incompleteworkflows are associated with a scanner accessing an open port andfailing to respond to an acknowledgement returned from the open port.

In some instances of the aforementioned embodiments, the methods furtherinclude monitoring network activity to yield the set of network traffic.In some such instances, the monitoring network activity to yield the setof network traffic is done such that the network traffic does notinclude any traffic corresponding to a scanner or any incompleteworkflows. In one or more instances of the aforementioned embodiments,the methods further include receiving an access control list includingat least a first access control rule allowing defined activity overmultiple network ports, and second access control rule allowing definedactivity for workloads having the first suggested intent, and a thirdaccess control rule allowing defined activity for workloads having thesecond suggested intent. In some such instances, the multiple networkports may be a set of continuous network ports, or a set ofdiscontinuous network ports. In one or more instances of theaforementioned embodiments, the methods further include: forward testingthe access control list; modifying a default rule of the access controllist from allow to block; and deploying the access control list.

Yet further embodiments provide network appliances that include: aprocessing resource, and a non-transitory computer-readable mediumcoupled to the processing resource. The non-transitory computer-readablemedium has stored therein instructions that when executed by theprocessing resource cause the processing resource to: identify a firstset of workloads in a set of network traffic that share at least a firsttrait, and a second set of workloads in the set of network traffic thatshare at least a second trait; identify a first suggested intent of thefirst set of workloads based upon metadata associated with the first setof workloads; identify a second suggested intent of the second set ofworkloads based upon metadata associated with the second set ofworkloads; and consolidate a plurality of ports of the first set ofworkloads based at least in part on a network element associated withthe first set of workloads into a set of ports.

Yet other embodiments provide non-transitory computer-readable storagemedia embodying a set of instructions, which when executed by aprocessing resource, causes the processing resource to: identify a firstset of workloads in a set of network traffic that share at least a firsttrait, and a second set of workloads in the set of network traffic thatshare at least a second trait; identify a first suggested intent of thefirst set of workloads based upon metadata associated with the first setof workloads; identify a second suggested intent of the second set ofworkloads based upon metadata associated with the second set ofworkloads; and consolidate a plurality of ports of the first set ofworkloads based at least in part on a network element associated withthe first set of workloads into a set of ports.

Turning to FIG. 1A, network architecture 100 is shown in accordance withsome embodiments. In the context of network architecture 100, a networksecurity appliance 115 controls network traffic passing to/from asecured network 102. Secured network 102 may be any type ofcommunication network known in the art. Those skilled in the art willappreciate that, secured network 102 can be a wireless network, a wirednetwork or a combination thereof that can be implemented as one of thevarious types of networks, such as an Intranet, a Local Area Network(LAN), a Wide Area Network (WAN), an Internet, and the like. Further,network 102 can either be a dedicated network or a shared network. Theshared network represents an association of the different types ofnetworks that use a variety of protocols, for example, HypertextTransfer Protocol (HTTP), Transmission Control Protocol/InternetProtocol (TCP/IP), Wireless Application Protocol (WAP), and the like.

The control applied by network security appliance 115 is in part basedupon a network ACL 116 that includes a number of rules indicating whichtypes of network traffic are allowed to pass to/from secured network102, and which types of traffic are to be blocked from passing to/fromsecured network 102.

As more fully described below, a security orchestration system 120 isused to monitor network traffic passing through network securityappliance 115 to determine applications that are operating in relationto secured network 102 (e.g., application A 110, application B 111, andapplication C 112), and workloads corresponding to operation of therespective applications. Such workloads involve communications betweenone or more of the applications and one or more of a database A 106, adatabase B 107, a database C 108, a web A 103, a web B 104, and a web C105. Web A 103, web B 104, and web C 105 represent external networkdestinations.

Using this workload information, security orchestration system 120generates access control rules for each of the identified applications,provides forward testing of the rules on an application levelgranularity, and generates an ACL for secured network 102. Thisgenerated ACL is deployed by installation in place of network ACL 116.In some embodiments, security orchestration system 120 is implemented onthe same hardware as network security appliance 115 making it possibleto more efficiently monitor network traffic passing to/from securednetwork 102.

Turning to FIG. 1B, an implementation of security orchestration system120 is shown in accordance with some embodiments. In this embodiment,security orchestration system 120 includes a processing resource 121, amemory 122, a hard disk drive 126, and a network interface 127 that areall communicably coupled via a system bus 128. Processing resource 121may be any processors, group of processors, and/or processing circuitrythat is capable of executing instructions maintained in memory 122.Based upon the disclosure provided herein, one of ordinary skill in theart will recognize a variety processing resources that may be used inrelation to different embodiments.

Memory 122 may be a volatile memory such as random access memory (RAM),a non-volatile memory such as flash RAM, or some combination of volatileand non-volatile memory. Based upon the disclosure provided herein, oneof ordinary skill in the art will recognize a variety of implementationsof memory 122 that may be used in relation to different embodiments.Memory 122 stores a number of network security microservices (i.e., μ124 a, μ 124 b, μ 124 c, μ 124 d). Such network security microservicesconsist of computer-executable instructions to perform one or morespecific security services, are deployed based on configuration acrossavailable physical servers. In some cases, each microservice receives aconfiguration and tasks via a backplane of a virtual chassis 106, andreturns status, statistics, and other information to the backplane.

The data processed by security orchestration system 120 is transferredfrom a microservice to another (higher hierarchy) microservice using adata plane. In some embodiments, during such a transfer, a lowermicroservice decides (based on configuration, current statistics, andother information) as to which next microservice to utilize. Such adecision may constitute a load-balancing decision to assure that thehigher-hierarchy microservices are efficiently utilized. In otherembodiments, the decision of which microservice to utilize is made by amore central entity.

As illustrated, security orchestration system 120 utilizes processingresources 121 to execute microservices 124 and other applications (e.g.,virtual chassis 123, security orchestrator 130, etc.) stored in memory104. A network interface 127 (e.g., fabric or interconnect that is wiredor wireless) provides an apparatus for communicating with other devicesin a network environment. Security orchestration system 120 may inspecttraffic, detect threats, perform endpoint transformation processes,generate security policies (e.g., access control lists), and otherwiseprotect a network environment in part by using microservices 124.

In some embodiments, security orchestrator 130 is delivered (e.g.,downloaded) in the form of a seed software application. The seedsoftware application instantiates microservices of securityorchestration system 120 on a host in a network environment. As usedherein, a microservice container refers to where the microservice runs,for example, on a virtual machine. Once deployed, security orchestrator130 utilizes a processing resources 121, memory 122, and networkinterface 127. In some scenarios, security can be added/configured usingexisting hardware and/or without purchasing additional rack devices forparticular functionality. The seed software application may be installedon any one of a wide variety of hosts—be they slow or fast, low-cost orhigh-cost, commodity or customized, geographically dispersed, part of aredundancy scheme, or part of a system with regular back-ups.

In some embodiments, security orchestration system 120 utilizes networkinterface 127 to explore a network environment and to discover executingapplications and corresponding workloads, and determine securitysettings to apply to various network applications and/or workloads,detect available hosts and hardware resources. Based on performingnetwork environment discovery, security orchestration system 120, insome embodiments, may then offer or suggest available security tools forselection either through a graphical interface or via connections withexisting enterprise management software. In one embodiment, securityorchestration system 120 develops and deploys an access control listthat may be used by a network security device in the networkenvironment. Indeed, in some cases, security orchestration system 120 isimplemented on the same hardware (i.e., processing resources 121, memory122, hard disk drive 126, network interface 127, and system bus 128) asthe network security device. By virtue of the network security devicebeing “in-line” with data being received and transmitted in the networkenvironment, it is able to use the access control list developed bysecurity orchestrator 130 to allow acceptable traffic and blocknon-allowed traffic as part of implementing a ZTNA.

Security orchestrator 130 is configured to manage the evaluation ofnetwork traffic, determine endpoints within a networked environment,perform endpoint transformation process, and generate and deploysecurity policies that are executed on the transformed endpoints withinthe networked environment. Results of the aforementioned analysis areused by security orchestrator 130 to identify applications executing inthe network environment and workloads corresponding to the identifiedapplications.

Turning to FIG. 1C, an implementation of security orchestrator 130 isshown in accordance with some embodiments. Security orchestrator 130includes a traffic monitor module 131, an application identificationmodule 132, an incremental access control list generation module 133, aforward testing module 134, an exception reporting module 135, anexception response input module 136, an access control list deploymentmodule 137, a high value asset and/or application input module 138, anext generation high value asset and/or application identificationmodule 139, a focused learning module 140, and an intent suggestion andlabeling module 141.

Traffic monitor module 131 is configured to monitor network traffic thatpasses to and from secured network 102. Such traffic monitoring allowsfor identification of a number of workloads passing between variousendpoints. This network traffic can be group into similar destinations,origins, and/or the like for analysis. In some embodiments, such networktraffic monitoring may be done in accordance with that disclosed in U.S.Pat. No. 10,944,723 entitled “Systems and Methods for Managing Endpointsand Security Policies in a Networked Environment” that was previouslyincorporated by reference. In particular, FIGS. 6-8 and thecorresponding discussion in the aforementioned incorporated referencedescribe one approach for monitoring network traffic that may be used inrelation to some embodiments discussed herein. Such monitoring relies,at least in part, on meta information such as, for example, source anddestination of the network traffic, the ports used for the networkcommunication, the protocol used for the communication, othercharacteristics regarding the application communication that are derivedfrom deep-packet inspection of the traffic.

Application identification module 132 is configured to use the networktraffic identified by traffic monitor module 131 to identifyapplications executing within the network along with the workloadsassociated with the identified applications. In some embodiments, suchidentification of applications and corresponding workloads may be donein accordance with that disclosed in U.S. Pat. No. 10,944,723 entitled“Systems and Methods for Managing Endpoints and Security Policies in aNetworked Environment” that was previously incorporated by reference. Inparticular, FIGS. 9-11 and the corresponding discussion in theaforementioned incorporated reference describe one approach fortransforming network communication metadata collected as part of anetwork traffic monitoring process, and using the transformed metadatafor network identification (e.g., classification) processes. Applicationidentification module 132 forms a global list of all identifiedapplications and workloads corresponding to the respective applicationsis assembled, and identifies all workloads in the global list as notsecured. Identifying a workload as not secure may be done, for example,by setting a secure flag associated with the particular workload asfalse. Based upon the disclosure provided herein, one of ordinary skillin the art will recognize a variety of approaches that may be used foridentifying a workload as not secure.

Incremental access control list generation module 133 is configured toincorporate access control rules for given applications incrementallyinto an ACL. This includes adding rules governing workloads for a newlyselected application from the global list of all identified applicationsand workloads corresponding to the respective applications to the ACLbelow rules corresponding to a previously secured application, and priorto a default rule. The default rule allows network traffic from anysource to any destination. After forward testing for the newly updatedACL is completed and found acceptable, the ACL is again updated toindicate that the most recently selected application is consideredsecure and/or ZTNA compliant. The process can then be repeated for thenext application which is added to the ACL after the previously securedapplications and before the default rule. This process is more fullydescribed below in relation to FIG. 2 .

Forward testing module 134 is configured to deploy an interim ACL and tomonitor any network traffic that is allowed to pass by the default rule.As the rules in the ACL are processed sequentially and once a networkcommunication has been allowed or blocked by one rule, no additionalrules are considered. Because the default rule is the last rule in theACL, any network traffic that is allowed because of the default rule wasnot accounted for by any other rule. Such traffic is flagged by theforward testing module for consideration by a network administrator. Insome cases, forward testing module 134 is configured to operate similarto that discussed below in relation to FIG. 5 .

Exception reporting module 135 is configured to report any networktraffic that is allowed under a default rule of the incrementally goingACL. As the ACL is being forward tested after the addition of eachapplication, only the most recently added application has not yet beenfully secured. As such, any network traffic allowed because of thedefault rule is likely either part of a workload not originallyidentified as part of the newly added application or is some type ofnon-allowed network traffic. Accordingly, the report provided to thenetwork administrator includes a relatively small amount of informationcompared with that which would have possibly generated if an entire ACLfor a network was being forward tested at once. Further, as only oneapplication operating in the network has not previously been fullysecured (i.e., the most recently selected application), a networkadministrator does not have to consider every application to identifywhat application the network traffic corresponds. Rather, the networkadministrator need only consider the most recently selected applicationand the possibility of a non-allowed source or destination. This greatlysimplifies the processes to be performed by a network administratortasked with developing a ZTNA policy for a network.

Exception response input module 136 is configured to accept changes toan incrementally developing ACL from a network administrator. In someembodiments, exception response input module 136 is an editing tool thatallows the network administrator to make changes directly to the ACL.Based upon the disclosure provided herein, one of ordinary skill in theart will recognize a variety mechanisms and apparatus that may be usedto receive changes and make modifications to an ACL in accordance withdifferent embodiments.

Access control list deployment module 137 is configured to install theincrementally developed ACL into network appliance 115 where it will berelied upon to control access to secured network 102. In some cases,this installation is done the same way an incrementally developing ACLis forward tested. In some embodiments, the installation is complete atthe same time the last modifications to the ACL are completed and thedefault rule is changed to block to make secure network 102 ZTNAcompliant. Based upon the disclosure provided herein, one of ordinaryskill in the art will recognize a variety of approaches for deploying anACL developed in accordance with embodiments discussed herein.

High value asset and/or application input module 138 is configured toreceive an indication of a high value asset(s) and/or application(s)from, for example, a user interface; and to update a focus list toinclude the received high value asset(s) and/or application(s). Thenetwork elements included in the focus list are those that will be usedto focus the network traffic monitoring and formatting similar to thatdiscussed below in relation to FIGS. 6-7 .

Next generation high value asset and/or application identificationmodule 139 is configured to identify one or more network elements fromworkloads touching network elements previously included in the focuslist, and to update the focus list to include the identified elements.Again, the network elements included in the focus list are those thatwill be used to focus the network traffic monitoring and formattingsimilar to that discussed below in relation to FIGS. 6-7 .

Focused learning module 140 is configured to implement a focusedlearning approach for developing ZTNA policy. An example of such focusedlearning approaches are discussed below in relation to FIGS. 6-7 .

Intent suggestion and labeling module 141 is configured to identifysuggested intents for grouped workloads, label the grouped workloads,and consolidate multiple ports associated with similar workloads. Intentsuggestion and labeling module 141 may perform various of the functionsdiscussed below in relation to FIG. 10 .

Turning to FIG. 1D, an example computer system 160 is shown in which orwith which embodiments of the present disclosure may be utilized. Asshown in FIG. 1B, computer system 160 includes an external storagedevice 170, a bus 172, a main memory 174, a read-only memory 176, a massstorage device 178, one or more communication ports 1010, and one ormore processing resources (e.g., processing circuitry 182). In oneembodiment, computer system 160 may represent some portion of securityorchestration system 120, network security appliance 115, one or morecomputers on which applications A 110, application B 111, and/orapplication C 112 are executing, and/or one or more network serversgoverning database A 106, database B 107, and/or database C 108.

Those skilled in the art will appreciate that computer system 160 mayinclude more than one processing resource 182 and communication port180. Non-limiting examples of processing resources include, but are notlimited to, Intel Quad-Core, Intel i3, Intel i5, Intel i7, Apple M1, AMDRyzen, or AMD® Opteron® or Athlon MP® processor(s), Motorola® lines ofprocessors, FortiSOC™ system on chip processors or other futureprocessors. Processors 182 may include various modules associated withembodiments of the present disclosure.

Communication port 180 can be any of an RS-232 port for use with amodem-based dialup connection, a 10/100 Ethernet port, a Gigabit, 10Gigabit, 25G, 40G, and 100G port using copper or fiber, a serial port, aparallel port, or other existing or future ports. Communication port 760may be chosen depending on a network, such as a Local Area Network(LAN), Wide Area Network (WAN), or any network to which the computersystem connects.

Memory 174 can be Random Access Memory (RAM), or any other dynamicstorage device commonly known in the art. Read only memory 176 can beany static storage device(s) e.g., but not limited to, a ProgrammableRead Only Memory (PROM) chips for storing static information e.g.start-up or BIOS instructions for the processing resource.

Mass storage 178 may be any current or future mass storage solution,which can be used to store information and/or instructions. Non-limitingexamples of mass storage solutions include Parallel Advanced TechnologyAttachment (PATA) or Serial Advanced Technology Attachment (SATA) harddisk drives or solid-state drives (internal or external, e.g., havingUniversal Serial Bus (USB) and/or Firewire interfaces), e.g. thoseavailable from Seagate (e.g., the Seagate Barracuda 7200 family) orHitachi (e.g., the Hitachi Deskstar 7K1300), one or more optical discs,Redundant Array of Independent Disks (RAID) storage, e.g. an array ofdisks (e.g., SATA arrays), available from various vendors including DotHill Systems Corp., LaCie, Nexsan Technologies, Inc. and EnhanceTechnology, Inc.

Bus 172 communicatively couples processing resource(s) with the othermemory, storage and communication blocks. Bus 172 can be, e.g. aPeripheral Component Interconnect (PCI)/PCI Extended (PCI-X) bus, SmallComputer System Interface (SCSI), USB or the like, for connectingexpansion cards, drives and other subsystems as well as other buses,such a front side bus (FSB), which connects processing resources tosoftware system.

Optionally, operator and administrative interfaces, e.g., a display,keyboard, and a cursor control device, may also be coupled to bus 172 tosupport direct operator interaction with the computer system. Otheroperator and administrative interfaces can be provided through networkconnections connected through communication port 180. External storagedevice 190 can be any kind of external hard-drives, floppy drives,IOMEGA® Zip Drives, Compact Disc-Read Only Memory (CD-ROM), CompactDisc-Rewritable (CD-RW), Digital Video Disk-Read Only Memory (DVD-ROM).Components described above are meant only to show various possibilities.In no way should the aforementioned example computer system limit thescope of the present disclosure.

Turning to FIG. 2 , a flow diagram 200 shows a method in accordance withvarious embodiments for performing forward testing at an applicationlevel granularity. In particular flow diagram 200 shows a method thatincludes developing a multi-application ACL that is forward tested at anapplication level. To aid in understanding the multi-application ACLdeveloped using the method of FIG. 2 , FIG. 3 graphically represents anexample ACL 300 designed for zero trust network access in a networkenvironment with a single application, but is not designed toaccommodate application level forward testing. As shown, ACL 300includes four rules—three (Rule 1, Rule 2, and Rule 3) of which aredesigned specifically for an Application A and to allow access to a webfrom a secured network, and one (Rule 4) of which is a default rule thatserves to block all other traffic. In particular, Rule 1 allows anytraffic from the secured network to pass to a web using transmissioncontrol protocol (TCP) on port 80, Rule 2 allows traffic from the web toApplication A using TCP via port 443, and Rule 3 allows traffic fromApplication A to a database using TCP via port 3016. Rule 4 blocks alltraffic that does not qualify under one of Rule 1, Rule 2, or Rule 3.

In operation, each of the rules of ACL 300 are applied in order. Thus,when traffic is received, it is determined if it qualifies under Rule 1(i.e., is traffic from the secured network to the web). If the trafficqualifies, it is allowed and none of Rules 2-4 are considered.Alternatively, where the traffic does not qualify under Rule 1,qualification under Rule 2 (i.e., is the traffic from the web toApplication A) is considered. If the traffic qualifies under Rule 2, itis allowed and none of Rules 3-4 are considered. Alternatively, wherethe traffic does not qualify under Rule 3, qualification under Rule 3(i.e., is the traffic from Application A to the database) is considered.If the traffic qualifies under Rule 3, it is allowed and Rule 4 is notconsidered. Alternatively, the traffic is blocked under Rule 4. Thisdefault blockage effectively enforces ZTNA by disallowing allunidentified traffic.

While ACL 300 governs workloads from only a single application (i.e.,application A), one of ordinary skill in the art will appreciate thatACL 300 can be modified to include a large number of rules governingworkloads associated with a number of applications over which the ACLhas oversight (i.e., applications running on a secured network governedby the ACL). Such modification would include the addition of rulescorresponding to the additional workloads and/or applications betweenRule 3 and Rule 4. The default traffic blocking rule is the last rule inthe modified ALC to assure ZTNA compliance. Such a modified ACL,however, requires forward testing of all rules at once and does notprovide for testing at an application level granularity.

Turning again to FIG. 2 , an ACL is generated that is forward tested atan application level granularity. Following flow diagram 200, a SECUREDGROUP to null and an INCREMENTAL ACCESS CONTROL LIST are initialized toinclude a single rule (i.e., a default rule) to allow network trafficfrom any source to any destination (block 202). Turning to FIG. 4A, agraphical representation of a newly initialized incremental ACL 400 isshown that includes only a single rule (i.e., Rule 1) that allowsnetwork traffic from any source to any destination. Where such an ACL isused, no traffic would be blocked by, for example, a network firewallrelying on the ACL.

Returning to FIG. 2 , network traffic is monitored that passes to andfrom the network to be supported by the ACL developed using the methodof FIG. 2 (block 204). Such traffic monitoring allows for identificationof a number of workloads passing between various endpoints. This networktraffic can be group into similar destinations, origins, and/or the likefor analysis. In some embodiments, such network traffic monitoring maybe done in accordance with that disclosed in U.S. Pat. No. 10,944,723entitled “Systems and Methods for Managing Endpoints and SecurityPolicies in a Networked Environment” that was previously incorporated byreference. In particular, FIGS. 6-8 and the corresponding discussion inthe aforementioned incorporated reference describe one approach formonitoring network traffic that may be used in relation to someembodiments discussed herein. Such monitoring relies, at least in part,on meta information such as, for example, source and destination of thenetwork traffic, the ports used for the network communication, theprotocol used for the communication, other characteristics regarding theapplication communication that are derived from deep-packet inspectionof the traffic.

Using the network traffic identified in the monitoring process (block204), applications executing within the network along with the workloadsassociated with the applications are identified (block 206). In someembodiments, such identification of applications and correspondingworkloads may be done in accordance with that disclosed in U.S. Pat. No.10,944,723 entitled “Systems and Methods for Managing Endpoints andSecurity Policies in a Networked Environment” that was previouslyincorporated by reference. In particular, FIGS. 9-11 and thecorresponding discussion in the aforementioned incorporated referencedescribe one approach for transforming network communication metadatacollected as part of a network traffic monitoring process, and using thetransformed metadata for network identification (e.g., classification)processes.

A global list of all identified applications and workloads correspondingto the respective applications is assembled (block 208). All workloadsin the global list are identified as not secured. Identifying a workloadas not secure may be done, for example, by setting a secure flagassociated with the particular workload as false. Based upon thedisclosure provided herein, one of ordinary skill in the art willrecognize a variety of approaches that may be used for identifying aworkload as not secure.

It is determined whether any applications remain in the global list thathave not yet been processed for incorporation into the INCREMENTALACCESS CONTROL LIST (block 210). Where one or more applications remainfor processing (block 210), the first/next application in the globallist is selected (block 212), and the INCREMENTAL ACCESS CONTROL LIST isupdated to include all workloads identified as corresponding to theselected application (block 213). Turning to FIG. 4B, a graphicalrepresentation of an incremental ACL 410 is shown after adding a firstselected application (i.e., Application A) that includes threeidentified workloads (traffic to a web A, traffic from web A toApplication A, and traffic from Application A to Database A). The threeworkloads associated with the first selected application occupy thefirst three rules (Rule 1, Rule 2, and Rule 3), and the default rule ismoved to the last rule (Rule 4). While incremental ACL 410 is shown withApplication A having three workloads, one of ordinary skill in the artwill recognize that a different application may exhibit fewer or moreidentified workloads, and that the identified workloads for theapplication may be different and include network traffic directedbetween different network endpoints.

Returning to FIG. 2 , forward testing is applied using the INCREMENTALACCESS CONTROL LIST (block 220). This block is shown in dashed lines asdetail of this block is set forth in relation to FIG. 5 below. Duringforward testing, any network traffic that is allowed because of thedefault rule (i.e., any network traffic not allowed by a rule specificto a workload of a particular application) is flagged.

The flagged network traffic is reported to, for example, a networkadministrator as forward testing results (block 222). As only the mostrecently selected application (i.e., Application A in the case ofincremental ACL 410, or Application B in the case of incremental ACL430) has not yet been fully secured, any network traffic allowed becauseof the default rule is likely either part of a workload not originallyidentified as part of the newly selected application or is some type ofnon-allowed network traffic. Accordingly, the report provided to thenetwork administrator includes a relatively small amount of informationcompared with that which would have possibly generated if an entire ACLfor a network was being forward tested at once. Further, as only oneapplication operating in the network has not previously been fullysecured (i.e., the most recently selected application), a networkadministrator does not have to consider every application to identifywhat application the network traffic corresponds. Rather, the networkadministrator need only consider the most recently selected applicationand the possibility of a non-allowed source or destination. This greatlysimplifies the processes to be performed by a network administratortasked with developing a ZTNA policy for a network. Based upon thedisclosure provided herein, one of ordinary skill in the art willrecognize a variety of other advantages that may be achieved inaccordance with embodiments discussed herein, and a variety of reportsthat may be produced and provided based upon the forward testing appliedto the INCREMENTAL ACCESS CONTROL LIST.

It is determined whether a network administrator reviewing the reportedresults of forward testing has indicated a desired change to the rulesin the INCREMENTAL ACCESS CONTROL LIST (block 224). Where a change isindicated (block 224), the INCREMENTAL ACCESS CONTROL LIST is modifiedto reflect the received change request (block 226) and the processes ofblocks 220-224 are repeated for the updated INCREMENTAL ACCESS CONTROLLIST. The changes should be limited to the rules corresponding to themost recently selected application. Based upon the disclosure providedherein, one of ordinary skill in the art will recognize a variety ofapproaches that may be used in relation to different embodiments for anetwork administrator to indicate a change. As one example, a networkadministrator may simply edit the INCREMENTAL ACCESS CONTROL LIST tomake a desired change.

Alternatively where no changes are indicated (block 224), the mostrecently selected application is considered compliant with a ZTNApolicy. In such a situation, each of the workloads associated with themost recently selected application are identified as secure (block 214).Identifying a workload as secure may be done, for example, by setting asecure flag associated with the particular workload as true. Based uponthe disclosure provided herein, one of ordinary skill in the art willrecognize a variety of approaches that may be used for identifying aworkload as secure.

Further, the SECURED GROUP is augmented to include all of the workloadsthat were newly identified as secured (block 216). For the firstselected application, such augmenting of the SECURED GROUP includesadding the workloads for the most recently selected application to anotherwise empty group. In contrast, for the second and laterapplications that are being processed, augmenting the SECURED GROUP willinclude adding the workloads newly identified as secured to thosepreviously included in the SECURED GROUP.

Additionally the INCREMENTAL ACCESS CONTROL LIST is updated to includeall secure workloads (block 218). This includes setting forth rulesspecifically allowing traffic of each workload corresponding to theselected application, and rules general to the SECURED GROUP. The rulesgeneral to the SECURED GROUP are two: (1) blocking traffic from anysource to any destination included in the SECURED GROUP using anyprotocol or port, and (2) blocking traffic from any source included inthe SECURED GROUP to any destination using any protocol or port.

Turning to FIG. 4C, a graphical representation of an incremental accesscontrol list 420 is shown that includes a single application (i.e.,Application A) that includes three identified workload tiers/groups(traffic to a web A, traffic from web A to Application A, and trafficfrom Application A to Database A) that is considered compliant with aZTNA policy. Two rules are added to incremental access control list 410:a rule (i.e., Rule 4) blocking any traffic from the SECURED GROUP to anydestination, and a rule (i.e., Rule 5) blocking any traffic from anydestination to the SECURED GROUP. As the rules are processed in order,any traffic allowed for Application A will have been processed underRule 1, Rule 2, or Rule 3, and any other traffic associated withApplication A will be blocked under Rule 4 or Rule 5. All other trafficunrelated to Application A will be allowed under the default rule (Rule6).

Returning to FIG. 2 , after updating the INCREMENTAL ACCESS CONTROL LISTto reflect all rules related to the most recently selected application(blocks 214-218), it is determined whether another application remainsin the global list that have not yet been processed for incorporationinto the INCREMENTAL ACCESS CONTROL LIST (block 210).

Where one or more applications remain for processing (block 210), thenext application in the global list is selected (block 212), and theINCREMENTAL ACCESS CONTROL LIST is updated to include all workloadsidentified as corresponding to the selected application (block 213).Updating the INCREMENTAL ACCESS CONTROL LIST includes adding a rulesprior to the default rule, where the added rules are specific to each ofidentified workloads and specifically allow network traffic associatedwith the identified workloads. Turning to FIG. 4D, a graphicalrepresentation of an incremental ACL 430 is shown after adding a secondselected application (i.e., Application B) that includes threeidentified workload tiers/groups (traffic to a web B, traffic from web Bto Application B, and traffic from Application B to Database B). Thethree workload tiers/groups associated with the second selectedapplication occupy the three rules immediately prior to the default rule(Rule 6, Rule 7, and Rule 8), and the default rule is moved to the lastrule (Rule 9). While incremental ACL 430 is shown with Application Bhaving three workloads, one of ordinary skill in the art will recognizethat a different application may exhibit fewer or more identifiedworkloads, and that the identified workloads for the application may bedifferent and include network traffic directed between different networkendpoints

Returning to FIG. 2 , forward testing is applied using the newly updatedINCREMENTAL ACCESS CONTROL LIST (block 220). Again, during forwardtesting any network traffic that is allowed because of the default rule(i.e., any network traffic not allowed by a rule specific to a workloadof a particular application) is flagged.

The flagged network traffic is reported to the network administrator asforward testing results (block 222). As only the most recently selectedapplication has not yet been fully secured, any network traffic allowedbecause of the default rule is likely either part of a workload notoriginally identified as part of the newly selected application or issome type of non-allowed network traffic. In the case of forward testingincremental ACL 430, any network traffic allowed because of the defaultrule is likely either part of a workload not originally identified aspart of Application B or is some type of non-allowed network traffic.Traffic corresponding to Application A should not occur as it wassecured during a prior pass through blocks 220, 222, 226, 214, 216, 218.Again, this greatly reduces the complexity faced by a networkadministrator tasked with developing a ZTNA policy for a network.

It is determined whether a network administrator reviewing the reportedresults of forward testing has indicated a desired change to the rulesin the INCREMENTAL ACCESS CONTROL LIST (block 224). Where a change isindicated (block 224), the INCREMENTAL ACCESS CONTROL LIST is modifiedto reflect the received change request (block 226) and the processes ofblocks 220-224 are repeated for the updated INCREMENTAL ACCESS CONTROLLIST. Again, the changes should be limited to the rules corresponding tothe most recently selected application.

Alternatively where no changes are indicated (block 224), the mostrecently selected application (e.g., Application B in the case ofincremental ACL 430) is considered compliant with the ZTNA policy. Insuch a situation, each of the workloads associated with the mostrecently selected application are identified as secure (block 214).Identifying a workload as secure may be done, for example, by setting asecure flag associated with the particular workload as true. Based uponthe disclosure provided herein, one of ordinary skill in the art willrecognize a variety of approaches that may be used for identifying aworkload as secure.

Further, the SECURED GROUP is augmented to include all of the workloadsthat were newly identified as secured (block 216). Again, for the secondand later applications that are being processed, augmenting the SECUREDGROUP will include adding the workloads newly identified as secured tothose previously included in the SECURED GROUP.

Additionally the INCREMENTAL ACCESS CONTROL LIST is updated to includeall secure workloads (block 218). This includes setting forth rulesspecifically allowing traffic of each workload corresponding to theselected application, and rules general to the SECURED GROUP. The rulesgeneral to the SECURED GROUP are two: (1) blocking traffic from anysource to any destination included in the SECURED GROUP using anyprotocol or port, and (2) blocking traffic from any source included inthe SECURED GROUP to any destination using any protocol or port. Thesegeneral rules are moved to the two rules immediately preceding thedefault rule in the INCREMENTAL ACCESS CONTROL LIST.

Turning to FIG. 4E, a graphical representation of an incremental accesscontrol list 440 is shown that includes two applications (i.e.,Application A and Application B) that each includes three identifiedworkloads (traffic to a web A, traffic from web A to Application A, andtraffic from Application A to Database A; and traffic to a web B,traffic from web B to Application B, and traffic from Application B toDatabase B) that are considered compliant with a ZTNA policy. The rulescorresponding to the recently updated SECURED GROUP are included as Rule7 and Rule 8 are included immediately prior to the default rule (i.e.,Rule 9). As the rules are processed in order, any traffic allowed forApplication A will have been processed under Rule 1, Rule 2, or Rule 3;any traffic allowed for Application B will have been processed underRule 4, Rule 5, or Rule 6; and any other traffic associated with eitherApplication A or Application B will be blocked under Rule 7 or Rule 8.All other traffic unrelated to either Application A or Application Bwill be allowed under the default rule (Rule 9).

Returning to FIG. 2 , after updating the INCREMENTAL ACCESS CONTROL LISTto reflect all rules related to the most recently (blocks 214-218), itis determined whether another application remains in the global listthat have not yet been processed for incorporation into the INCREMENTALACCESS CONTROL LIST (block 210). Once no additional applications remainfor processing in the global list (block 210), forward testing iscomplete (block 228). The default rule is modified from allow to blockto enforce ZTNA and the INCREMENTAL ACCESS CONTROL LIST is deployed.Such deployment may be as simple as beginning operation of the networkwhere a network security appliance uses the INCREMENTAL ACCESS CONTROLLIST to control what network traffic is allowed to pass to and from asecured network. Turning to FIG. 4F, a graphical representation is shownof an incremental access control list 450 that is incremental ACL 440where the default rule (i.e., Rule 9) is changed from allow to block inaccordance with the process of block 228 of FIG. 2 .

While the examples in FIGS. 4A-4F show an incremental ACL developed withtwo applications, one of ordinary skill in the art will recognize thatthe processes of FIG. 2 may be repeated for any number of applicationsto be operated in a network environment. Further, while the applicationsshown in the examples in FIGS. 4A-4F each include the same number andtypes of workloads, one of ordinary skill in the art will appreciateother types of applications will include different types and numbers ofworkloads, and may be handled as discussed above in relation to FIG. 2 .

Turning to FIG. 5 , a flow diagram 500 shows a method in accordance withsome embodiments for forward testing an ACL on an applicationgranularity. Following flow diagram 500, it is determined if a networktraffic communication has been received (block 502). A network trafficcommunication is received any time an attempt is made to access anendpoint outside of a secured network from within the secured network orany time an attempt is made to access an endpoint within the securednetwork from beyond the secured network. Based upon the disclosureprovided herein, one of ordinary skill in the art will recognize avariety of network traffic that may be identified in relation to theoperations of flow diagram 500.

Periodically, it is determined whether a timeout condition has been met(block 520). Such a timeout condition may be a certain time or may be acertain number of received network traffic communications. Based uponthe disclosure provided herein, one of ordinary skill in the art willrecognize a variety of timeout conditions that may be used. Where thetimeout condition has not been met (block 520), processing is returnedto await the next network traffic. Alternatively, where the timeoutcondition has been met (block 520), forward testing is ended (block 522)leaving the logged default exceptions.

Where network traffic has been received (block 502), a rule count isinitialized at “1” (block 504) and the rule corresponding to the rulecount (in this case Rule 1) is selected from the INCREMENTAL ACCESSCONTROL LIST (block 506). It is determined where the selected ruleapplies to the received (block 508). Using ACL 420 of FIG. 4A as aspecific example, it is determined whether the network traffic isdestined for web A using TCP via port 80.

Where the selected Rule applies to the received network traffic (block508), it is determined whether the selected rule is the default rule forthe INCREMENTAL ACCESS CONTROL LIST (i.e., the last rule in theACL)(block 510). Where it is not the default rule (block 510), theselected rule is applied and the process returns to block 502 to awaitthe next network traffic (block 512). Thus, using the example of FIG.4A, where the selected rule is Rule 1 and the destination of the networktraffic is to web A, the traffic is allowed and processing is returnedto await the next network traffic.

Alternatively, where the selected rule is the default rule (block 510),a default exception is logged (block 514). Such a default exceptionindicates that network traffic was received that was not properlyhandled by any of the preceding rules in the INCREMENTAL ACCESS CONTROLLIST. The default rule is applied to the network traffic and the processreturns to block 502 to await the next network traffic (block 512).Using the example of FIG. 4A, where the selected rule is the defaultrule (i.e., Rule 6) the network traffic is allowed and processing isreturned to await the next network traffic.

Alternatively, where the selected rule does not apply to the receivednetwork traffic (block 508), the rule count is incremented (block 518)and the rule indicated by the rule count is selected (block 506) beforethe processes of blocks 508-516 are repeated for the next rule. Thisprocess of sequencing through the rules in the INCREMENTAL ACCESSCONTROL LIST continues until rule count is incremented to the defaultrule, and the processes of blocks 510-516 are followed for the defaultrule.

If the INCREMENTAL ACCESS CONTROL LIST is correct, the defaultexceptions will not include any network traffic related to the firstapplication. Rather, all of the default traffic will be either undesiredor germane to another application. As discussed in relation to FIG. 2above, where the default traffic includes traffic germane to the mostrecently selected application (in the case of FIG. 4A this would beApplication A; in the case of FIG. 4B this would be Application B; andin the case of FIG. 4C this would be Application C) an administratorwould see this and modify the INCREMENTAL ACCESS CONTROL LIST toaccommodate the network traffic improperly handled under the defaultrule. As such, by the time forward testing of the INCREMENTAL ACCESSCONTROL LIST including only the first selected application is complete,rules specific to the first selected application have been forwardtested and validated. Again using FIG. 4A as an example, this would meanthat Rule 1, Rule 2, and Rule 3 of ACL 400 would be validated.

At this juncture, the next pass through the forward testing process offlow diagram 500 would test the INCREMENTAL ACCESS CONTROL LIST afteradding workloads for the next application. Because the rules specific tothe prior selected application are already validated, any considerationof network traffic processed by the default rule need only be consideredfrom the perspective of the rules specific to the workloads specific tothe newly selected application. Thus, using FIG. 4B as an example, anydefault exceptions logged when forward testing using ACL 410 areconsidered only in light of Rule 4, Rule 5, and Rule 6 that are specificto the Application B. The same is true for ACL 420 where all of Rule 1,Rule 2, Rule 3, Rule 4, Rule 5, Rule 6 were verified and validated inprior forward testing of ACL 400 and ACL 410, leaving only Rule 7, Rule8, and Rule 9 that are specific to the Application C for verificationand validation. As mentioned above, by performing forward testing at anapplication granularity, the validity of only a small number of rules ofan overall ACL need be considered at a given time.

Turning to FIGS. 6A-6B, flow diagram 600 and flow diagram 616 show amethod in accordance with some embodiments for developing a zero trustnetwork access from the perspective of one or more identified networkelements. Turning specifically to FIG. 6A and following flow diagram600, a focus group is initialized as null (block 602), and an indicationof a high value asset(s) and/or application(s) is received (block 604).The high value asset(s) and/or applications may be identified, forexample, by a network administrator reviewing a physical asset map of anetwork and selecting one or more of the assets and/or applicationsoperating in the network as a focus for a machine learning moduleresponsible for identifying workloads and determining applications towhich the workloads belong. As an example, the network administrator mayidentify a particular network database as a high value asset. Theidentified high value asset(s) and/or application(s) are then providedas an input. Based upon the disclosure provided herein, one of ordinaryskill in the art will recognize a variety of high value asset(s) and/orapplication(s) that may be selected in accordance with differentembodiments, and a number of mechanisms that may be used to identify theselected high value asset(s) and/or application(s) for processing.

The focus group is augmented to include the newly identified high valueasset(s) and/or application(s) (block 606). This focus group becomes thefocus of the identification of workloads and applications to be secured.

Network traffic is monitored that is either transmitted to or receivedfrom one of the high value asset(s) and/or application(s) included inthe focus group (block 608). Such traffic monitoring allows foridentification of a number of workloads directly touching thespecifically identified network elements. By focusing the monitoring onthose network elements specifically identified in the focus group, onlya subset of the overall network traffic is considered for grouping intosimilar destinations, origins, and/or the like for analysis. In someembodiments, such network traffic monitoring may be done in accordancewith that disclosed in U.S. Pat. No. 10,944,723 entitled “Systems andMethods for Managing Endpoints and Security Policies in a NetworkedEnvironment” that was previously incorporated by reference. Inparticular, FIGS. 6-8 and the corresponding discussion in theaforementioned incorporated reference describe one approach formonitoring network traffic that may be used in relation to someembodiments discussed herein. Such monitoring relies, at least in part,on meta information such as, for example, source and destination of thenetwork traffic, the ports used for the network communication, theprotocol used for the communication, other characteristics regarding theapplication communication that are derived from deep-packet inspectionof the traffic.

This process of monitoring (block 608) is continued for a defined period(block 610). The defined period may be fixed or user programmable. Insome cases, the defined period is set to allow for a sufficient numberof network transactions to occur such that multiple instances ofworkloads associated with applications may be identified, and thusfacilitate the automated identification of assets and correspondingworkloads within the network environment.

Once the monitor period has expired (block 610), similar workloadswithin the monitored network traffic are identified (block 612). Thesimilarity of the workloads may be identified based upon any number ofcommonality in metadata about the workloads. For example, all workloadsfrom a particular endpoint or to a particular endpoint may be grouped.As another example, all workloads from a particular endpoint on aparticular port may be grouped. As yet another example, all workloads toa particular endpoint and having an attached file may be grouped. Basedupon the disclosure provided herein, one of ordinary skill in the artwill recognize a variety of basis upon which workloads may be consideredsimilar to other workloads, and grouped together as similar workloads.

The similar workloads are grouped together into application tiers basedupon which application with which they are associated (block 614). Insome embodiments, such identification of applications and correspondingworkloads may be done in accordance with that disclosed in U.S. Pat. No.10,944,723 entitled “Systems and Methods for Managing Endpoints andSecurity Policies in a Networked Environment” that was previouslyincorporated by reference. In particular, FIGS. 9-11 and thecorresponding discussion in the aforementioned incorporated referencedescribe one approach for transforming network communication metadatacollected as part of a network traffic monitoring process, and using thetransformed metadata for network identification (e.g., classification)processes. As just one example, the workloads for an application may beidentified in three tiers (i.e., a web tier, an application tier, and adatabase tier) similar to that shown for Application A of ACL 410 ofFIG. 4B.

A global list of all identified applications and workloads correspondingto the respective applications is assembled (block 616). All workloadsin the global list are identified as not secured. Identifying a workloadas not secure may be done, for example, by setting a secure flagassociated with the particular workload as false. Based upon thedisclosure provided herein, one of ordinary skill in the art willrecognize a variety of approaches that may be used for identifying aworkload as not secure.

A ZTNA policy is then determined for the workloads in the global list(block 618). In some cases, forming the ZTNA policy may be done by anetwork administrator manually defining an ACL indicating that one ormore of the identified workloads are allowable. Such an ACL may besimilar to, for example, ACL 300 of FIG. 3 that secures a database thataccessed by a single application. While ACL 300 is shown as includingone database accessed by a single application (Application A), it isnoted that the ACL created by the network administrator may includeseveral network assets and/or network applications.

In other cases, forming the ZTNA policy may be done by automaticallyusing a process similar to that shown in flow diagram 618 of FIG. 6B(i.e., the same number as the block in FIG. 6A as flow diagram 618represents a replacement for the block in FIG. 6A). Turning to FIG. 6Band following flow diagram 618, it is determined whether anyapplications remain in the global list that have not yet been processedfor incorporation into an ACL (block 654). Where one or moreapplications remain for processing (block 654), the first/nextapplication in the global list is selected (block 565), and the ACL isupdated to include all workloads identified as corresponding to theselected application (block 658). Where it is the first applicationbeing added to the ACL, the ACL that is formed is similar to thatdiscussed above in relation to FIG. 4B. Where it is a second or laterapplication being added to the ACL, the ACL that is formed is similar tothat discussed above in relation to FIG. 4D.

Forward testing is applied using the updated ZTNA policy including theupdated ACL (block 660). This block is shown in dashed lines as detailof this block is set forth in relation to FIG. 5 above. During forwardtesting, any network traffic that is allowed because of the default rule(i.e., any network traffic not allowed by a rule specific to a workloadof a particular application) is flagged.

The flagged network traffic is reported to, for example, a networkadministrator as forward testing results (block 662). As only the mostrecently selected application (i.e., Application A in the case ofincremental ACL 410, or Application B in the case of incremental ACL430) has not yet been fully secured, any network traffic allowed becauseof the default rule is likely either part of a workload not originallyidentified as part of the newly selected application or is some type ofnon-allowed network traffic. Accordingly, the report provided to thenetwork administrator includes a relatively small amount of informationcompared with that which would have possibly generated if an entire ACLfor a network was being forward tested at once. Further, as only oneapplication operating in the network has not previously been fullysecured (i.e., the most recently selected application), a networkadministrator does not have to consider every application to identifywhat application the network traffic corresponds. Rather, the networkadministrator need only consider the most recently selected applicationand the possibility of a non-allowed source or destination. This greatlysimplifies the processes to be performed by a network administratortasked with developing a ZTNA policy for a network.

It is determined whether a network administrator reviewing the reportedresults of forward testing has indicated a desired change to the rulesin the ZTNA policy including the ACL (block 664). Where a change isindicated (block 664), the ZTNA policy including the ACL is modified toreflect the received change request (block 666) and the processes ofblocks 658-664 are repeated for the updated ZTNA policy. The changesshould be limited to the rules corresponding to the most recentlyselected application. Based upon the disclosure provided herein, one ofordinary skill in the art will recognize a variety of approaches thatmay be used in relation to different embodiments for a networkadministrator to indicate a change. As one example, a networkadministrator may simply edit the ACL to make a desired change.

Alternatively where no changes are indicated (block 664), the mostrecently selected application is considered a compliant ZTNA policy. Insuch a situation, each of the workloads associated with the mostrecently selected application are identified as secure (block 670).Identifying a workload as secure may be done, for example, by setting asecure flag associated with the particular workload as true. Based uponthe disclosure provided herein, one of ordinary skill in the art willrecognize a variety of approaches that may be used for identifying aworkload as secure.

Further, the secured group is augmented to include all of the workloadsthat were newly identified as secured (block 672). For the firstselected application, such augmenting of the secured group includesadding the workloads for the most recently selected application to anotherwise empty group. In contrast, for the second and laterapplications that are being processed, augmenting the secured group willinclude adding the workloads newly identified as secured to thosepreviously included in the secured group.

Additionally the ACL is updated to include all secure workloads (block674). This includes setting forth rules specifically allowing traffic ofeach workload corresponding to the selected application, and rulesgeneral to the secured group. The rules general to the secured group aretwo: (1) blocking traffic from any source to any destination included inthe secured group using any protocol or port, and (2) blocking trafficfrom any source included in the secured group to any destination usingany protocol or port. FIG. 4C discussed above shows an example of an ACLincluding a single application (i.e., Application A) that includes threeidentified workload tiers (traffic to a web A, traffic from web A toApplication A, and traffic from Application A to Database A) is shownwith the application secured; and FIG. 4E discussed above shows anexample of an ACL including two applications (i.e., Application A andApplication B) each with three identified workload tiers is shown withboth of the applications secured.

After updating the ZTNA policy including the ACL to reflect all rulesrelated to the most recently selected application (blocks 670-674), itis determined whether another application remains in the global listthat have not yet been processed for incorporation into the ACL (block654).

Where one or more applications remain for processing (block 654), theprocesses of blocks 656-674 are repeated for the next selectedapplication. Once no additional applications remain for processing inthe global list (block 654), forward ZTNA policy for the currentlyreceived network traffic is complete (block 654), and the process isreturned to block 620 of FIG. 6A.

Returning to FIG. 6A and following flow diagram 600, it is determined ifprocessing the most recent block of network traffic (i.e., networktraffic recently assembled in block 608) resulted in any change to theZTNA policy (block 620). Where any changes resulted in the ZTNA policy(block 620), the processes of blocks 606-620 are repeated for anotherblock of network traffic where only workloads that were not previouslyconsidered are processed for inclusion in the ZTNA policy including theACL.

Alternatively, where no changes were made to the ZTNA policy (block620), the assets and/or applications included in the focus list areconsidered protected. It is then determined whether there are anyasset(s) and/or applications touched by the previously consideredworkloads that have not yet been considered (block 622). Thus, forexample, where the focus list original included only a particulardatabase, all workloads directly touching the database are secured, butone or more applications or other assets that are the source ofdestination of the previously considered workloads may not yet have beenconsidered. Using FIG. 1A as an example, database C 108 may be thedestination of a workload corresponding of a data transfer fromapplication C 112 to database C 108. This workload would have beenconsidered and included in the ZTNA policy, but other workloadsassociated with application C 112 that do not directly touch database C108 would not yet have been considered.

Where one or more assets and/or applications with direct contact tothose in the focus list have not themselves been the subject of scrutinyapplied to those in the focus list (block 622), theseassets/applications are identified (block 628) and the focus list isaugmented to include the additionally identified high value assetsand/or applications (block 606). With the focus list thus augmented, theprocesses of blocks 608-628 are repeated where additional workloadscorresponding to the newly added high value assets and/or applicationsare considered and included in a growing ZTNA policy.

Once no additional high value assets and/or applications are identified(block 622), the ZTNA policy is considered complete for the originalfocus. As such, the default rule of the ACL included in the ZTNA policyis modified from allow to block to enforce ZTNA policy including the ACL(block 624) and the ZTNA policy including the ACL is deployed (block626). Such deployment may be as simple as beginning operation of thenetwork where a network security appliance uses the ACL to control whatnetwork traffic is allowed to pass to and from a secured network. FIG.4F shows an example of an ACL after modification of the default rule.

It is possible that using such a focus will ultimately result incovering all assets and applications in a network environment. In somecases, however, one or more assets and/or applications in the networkenvironment will be sufficiently isolated that performing the processesof flow diagram 600 will not result in covering all assets and/orapplications. In some embodiments, the process may be purposely limitedto a defined number of degrees of separation from the originallyidentified high value asset(s) and/or application(s) (i.e., thosereceived in block 602). Such would be done by limiting the number oftimes block 622 would be allowed to identify additional non-consideredassets and/or applications. In one particular embodiment, block 622 isonly allowed to find additional assets and/or applications two timesresulting in coverage of workloads within two degrees of separation fromthe originally identified high value asset(s) and/or application(s)(i.e., those received in block 602). Based upon the disclosure providedherein, one of ordinary skill in the art will recognize a variety ofdegrees of separation that would be appropriate in a given scenario inaccordance with different embodiments.

Turning to FIG. 7 , a flow diagram 700 shows a method in accordance withone or more embodiments for developing a zero trust network access forspecifically identified network elements. Following flow diagram 700, anindication of a high value asset(s) and/or application(s) is received(block 704). The high value asset(s) and/or applications may beidentified, for example, by a network administrator reviewing a physicalasset map of a network and selecting one or more of the assets and/orapplications operating in the network as a focus for a machine learningmodule responsible for identifying workloads and determiningapplications to which the workloads belong. As an example, the networkadministrator may identify a particular network database as a high valueasset. The identified high value asset(s) and/or application(s) are thenprovided as an input. Based upon the disclosure provided herein, one ofordinary skill in the art will recognize a variety of high valueasset(s) and/or application(s) that may be selected in accordance withdifferent embodiments, and a number of mechanisms that may be used toidentify the selected high value asset(s) and/or application(s) forprocessing.

A focus group is defined to include the newly identified high valueasset(s) and/or application(s) (block 706). This focus group becomes thefocus of the identification of workloads and applications to be secured.

Network traffic is monitored that is either transmitted to or receivedfrom one of the high value asset(s) and/or application(s) included inthe focus group (block 708). Such traffic monitoring allows foridentification of a number of workloads directly touching thespecifically identified network elements. By focusing the monitoring onthose network elements specifically identified in the focus group, onlya subset of the overall network traffic is considered for grouping intosimilar destinations, origins, and/or the like for analysis. In someembodiments, such network traffic monitoring may be done in accordancewith that disclosed in U.S. Pat. No. 10,944,723 entitled “Systems andMethods for Managing Endpoints and Security Policies in a NetworkedEnvironment” that was previously incorporated by reference. Inparticular, FIGS. 6-8 and the corresponding discussion in theaforementioned incorporated reference describe one approach formonitoring network traffic that may be used in relation to someembodiments discussed herein. Such monitoring relies, at least in part,on meta information such as, for example, source and destination of thenetwork traffic, the ports used for the network communication, theprotocol used for the communication, other characteristics regarding theapplication communication that are derived from deep-packet inspectionof the traffic.

This process of monitoring (block 708) is continued for a defined period(block 710). The defined period may be fixed or user programmable. Insome cases, the defined period is set to allow for a sufficient numberof network transactions to occur such that multiple instances ofworkloads associated with applications may be identified, and thusfacilitate the automated identification of assets and correspondingworkloads within the network environment.

Turning to FIG. 8A, an example set 810 of workloads touching either anApplication A or a database C are shown. Such workloads may beidentified as part of the workload monitoring process (i.e., block 708of FIG. 7 ) where the focus list identifies Application A and DatabaseC. As shown, set 810 of workloads includes four workloads (i.e., aworkload from Application A to the Web using TCP over port 80, aworkload from the Web to the Database C using TCP over port 443, aworkload from an Endpoint X to Database C using TCP over port 3020, anda workload from an Endpoint Y to Application A using TCP over port 80.

Returning to FIG. 7 , once the monitor period has expired (block 710), aZTNA policy is determined for the workloads that include one of theassets and/or applications in the focus group as either a source or adestination (block 716). In some cases, forming the ZTNA policy may bedone by a network administrator manually defining an ACL indicating thatone or more of the identified workloads are allowable. Turning to FIG.8B, an example ACL 820 for the workloads included in set 810 is shown.As shown, ACL 820 includes five rules—one for each of the workloads inset 810 (Rules 1-4), and a default rule (Rule 5).

Returning to FIG. 7 , it is determined if processing the most recentblock of network traffic (i.e., network traffic recently assembled inblock 708) resulted in any change to the ZTNA policy (block 718). Whereany changes resulted in the ZTNA policy (block 718), the processes ofblocks 708-718 are repeated for another block of network traffic whereonly workloads that were not previously considered are processed forinclusion in the ZTNA policy including the ACL.

Alternatively, where no changes were made to the ZTNA policy (block718), the assets and/or applications included in the focus list areconsidered protected. As such, the default rule of the ACL included inthe ZTNA policy is modified from allow to block to enforce ZTNA policyincluding the ACL (block 720) and the ZTNA policy including the ACL isdeployed (block 722). Such deployment may be as simple as beginningoperation of the network where a network security appliance uses the ACLto control what network traffic is allowed to pass to and from a securednetwork. FIG. 8C shows an example of an ACL 830 after modification ofthe default rule.

Turning to FIG. 9 , a flow diagram 900 shows a method in accordance withvarious embodiments for developing a resilient zero trust network accesspolicy based upon intent defined groups of workloads. Following flowdiagram 900, network traffic is monitored that passes to and from anetwork appliance (block 902). Such traffic monitoring allows foridentification of a number of workloads passing between variousendpoints. This network traffic can be group into similar destinations,origins, and/or the like for analysis. In some embodiments, such networktraffic monitoring may be done in accordance with that disclosed in U.S.Pat. No. 10,944,723 entitled “Systems and Methods for Managing Endpointsand Security Policies in a Networked Environment” that was previouslyincorporated by reference. In particular, FIGS. 6-8 and thecorresponding discussion in the aforementioned incorporated referencedescribe one approach for monitoring network traffic that may be used inrelation to some embodiments discussed herein. Such monitoring relies,at least in part, on meta information such as, for example, source anddestination of the network traffic, the ports used for the networkcommunication, the protocol used for the communication, othercharacteristics regarding the application communication that are derivedfrom deep-packet inspection of the traffic.

Any scanners or incomplete workflows within the monitored networktraffic are identified (block 904). Such scanners are applications thatare run, for example, by an enterprise overseeing the network to scanthe workloads for vulnerabilities, workload imbalances, and the like. Insome cases, a scanner operates by trying to connect to every availableport to determine if the port is open. When a port is open, the scannerwill interact with the particular port to complete the communication.Alternatively, where a port is closed, only the scanner side of thecommunication is completed (i.e., no acknowledgement is sent back fromthe port) rendering it an incomplete workflow. Such incomplete workflowsare also found in, for example, malicious network access attempts wherea hacker is trying to identify open ports. In such attempts, a handshakerequest to a particular port is sent and where the port is open, anacknowledgement is sent back from the port. However, therequest/acknowledgment pair is not followed by any further activity andsuch communication with an open port is considered an incompleteworkflow. Based upon the disclosure provided herein, one of ordinaryskill in the art will recognize a variety of scanners and/or workflowsthat may be identified in accordance with different embodiments.

In addition to the possibility of malicious network activity, theaforementioned scanners are continuously making legitimate connectionsthroughout the network and scanning workloads, and as such any changesmade to the ZTNA policy needs to allow for the scanners to continueperforming their functions. As the workload traffic is monitored inblock 902, the scanner traffic appears to be network traffic and islogged and if not removed from the network traffic appears to be trafficthat would otherwise be combined as traffic for a particularapplication. In some embodiments, the scanners have identifiablesignatures and/or are known and thus can be identified within themonitored network traffic. Based upon the disclosure provided herein,one of ordinary skill in the art will recognize a variety of processesfor distinguishing scanner traffic from other network traffic. Suchscanner traffic workloads and incomplete workloads make the networktraffic more complicated to gather into identifiable applications asevery element of the network appears to be communicating with everyother element of the network making it appear to be a big mesh ofnetwork traffic rather than network traffic that can be gathered intoseparately distinguishable applications. To address this, the workloadsassociated with the identified scanners and incomplete workflows areremoved from the monitored network traffic (i.e., the network trafficfrom block 902) leaving only application specific network traffic (block906). It is noted that while this embodiment is described as gatheringmonitored network traffic and subsequently removing scanner workloadsand any incomplete workflows from the network traffic, that in otherembodiments such scanner workloads and/or incomplete workflows may befiltered out during the network traffic monitoring (i.e., the networktraffic monitoring in block 902) thus leaving only the applicationspecific network traffic.

Similar workloads in the application specific network traffic aregrouped together into application tiers (block 908). The similarity ofthe workloads may be identified based upon any number of commonality inmetadata about the workloads. For example, all workloads from aparticular endpoint or to a particular endpoint may be grouped. Asanother example, all workloads from a particular endpoint on aparticular port may be grouped. As yet another example, all workloads toa particular endpoint and having an attached file may be grouped. Basedupon the disclosure provided herein, one of ordinary skill in the artwill recognize a variety of basis upon which workloads may be consideredsimilar to other workloads, and grouped together as similar workloads.

The identified similar workloads are grouped together into applicationtiers based upon which application with which they are associated (block910). In some embodiments, such identification of applications andcorresponding workloads may be done in accordance with that disclosed inU.S. Pat. No. 10,944,723 entitled “Systems and Methods for ManagingEndpoints and Security Policies in a Networked Environment” that waspreviously incorporated by reference. In particular, FIGS. 9-11 and thecorresponding discussion in the aforementioned incorporated referencedescribe one approach for transforming network communication metadatacollected as part of a network traffic monitoring process, and using thetransformed metadata for network identification (e.g., classification)processes. As just one example, the workloads for an application may beidentified in three tiers (i.e., a web tier, an application tier, and adatabase tier) similar to that shown for Application A of ACL 410 ofFIG. 4B.

Having grouped the similar workloads together (block 910), each of thegroups of workloads is analyzed to determine a suggested intent of theworkload (block 912). Such intent may be discerned, for example, basedupon a destination of the workload. As a particular, example, where theworkload is destined for a ticketing application the suggested workloadintent may be “ticking request”. As another example, where the workloadis destined for a credit card processing service the suggested workloadintent may be “CC payment”. Based upon the disclosure provided herein,one of ordinary skill in the art will recognize a variety of suggestedintents that may be determined based upon metadata corresponding to agroup of workloads. Further, in some embodiments, the process isoverseen by a network administrator who may choose to override anautomatically determined suggested intent and input their own intent forthe group. The suggested intents are reduced to labels that areassociated with the respective groups of workloads (block 914). Suchlabeling of the groups of workloads results in an abstraction of theworkloads, and all workloads under that label can be treated with thesame intent based workload rule. As an example of such an intent basedworkload rules, it may be that all “CC payment” workloads are allowed.In such an example, the “CC payment” workloads would have beenpreviously defined and grouped to include all workloads from a discreteset of endpoints and/or applications within the network.

Additionally, ports are consolidated into ranges of ports where multipleports are used for a particular application (block 916). Suchconsolidation into ranges allows for access control rules that covermultiple ports in place of multiple access control rules each directedat individual ports. As an example, certain services such as the domainname service (DNS) runs on port 53. In such cases it is a single portand the rule in the access control list is easily defined. However,other examples use multiple dynamically assigned ports. In such cases,all of the ports are included in the access control rule for theparticular service and/or application.

As a particular example, the file transfer protocol (FTP) negotiate forports to use and as a result of the negotiation a range of ports areopened. FTP then picks any port within the range of opened ports toperform its function for a first communication, and then FTP may pickanother port within the range of open ports to perform its function fora subsequent communication. In such a case, it is the entire range ofopen ports that are treated by a single access control rule rather thanrequiring a separate access control rule for all open ports in therange. In some embodiments, the workloads in the application specificnetwork traffic are considered to determine if they are associated witha service, application, and/or endpoint that uses dynamic port ranges.Where such is found, all of the workloads are represented by a singleaccess control rule covering the entire range of ports. Turning to FIG.10A, an access control list 1010 shows an example, access control rule(Rule 2) allowing for network traffic from FTP to an Application A overany port between 5000 and 5199.

As another particular example, an application may negotiate for a datachannel port and a control channel port. In such examples, the workloadassociated with the control channel port is investigated to determinewhich ports have been negotiated and assigned, and both the data channelport and the control channel port are included in a single accesscontrol rule. Turning to FIG. 10B, an access control list 1020 shows anexample, access control rule (Rule 2) allowing for network traffic froman Application B to an Application A over a control channel (i.e., port2000) and a data channel (i.e., port 2010). Based upon the disclosureprovided herein, one of ordinary skill in the art will recognize avariety of multi-port scenarios and mechanisms for identifying such thatcan be consolidated into a number of access control rules that is lessthan the number of access control rules that would be needed if everyport was treated individually.

Returning to FIG. 9 , a ZTNA policy is determined for the workloads thatinclude any consolidated port ranges (i.e., from block 916) and treatthe labeled groups of workloads (i.e., from block 914). In some cases,forming the ZTNA policy may be done by a network administrator manuallydefining an ACL indicating that one or more of the identified workloadsare allowable. Alternatively, forming the ZTNA policy may be done usingany of the automated approaches discussed herein.

It is determined if processing the most recent block of network traffic(i.e., network traffic recently assembled in block 902) resulted in anychange to the ZTNA policy (block 920). Where any changes resulted in theZTNA policy (block 920), the processes of blocks 902-920 are repeatedfor another block of network traffic where only workloads that were notpreviously considered are processed for inclusion in the ZTNA policyincluding the ACL.

Alternatively, where no changes were made to the ZTNA policy (block920), it is determined whether the ZTNA policy is complete (block 922).This may be determined, for example, by a network administrator. In somecases, the ZTNA policy will require some level of forward testing ormodifications. Where such is the case, forward testing is performed onthe ZTNA policy (block 926). The forward testing may be performed on theentire ACL of the ZTNA policy at once or may be done incrementally asdiscussed herein in relation to FIG. 2 . Alternatively, whether the ZTNApolicy is complete (block 922), the ZTNA policy is finalized anddeployed (block 924). Finalizing may include, for example, changing thedefault rule of the ACL included in the ZTNA policy form allow to blockas discussed in relation to other embodiments herein, and deploying theZTNA policy may include beginning operation of the network where anetwork security appliance uses the ACL to control what network trafficis allowed to pass to and from a secured network.

In conclusion, the present invention provides for novel systems,devices, and methods. While detailed descriptions of one or moreembodiments of the invention have been given above, variousalternatives, modifications, and equivalents will be apparent to thoseskilled in the art without varying from the spirit of the invention.Therefore, the above description should not be taken as limiting thescope of the invention, which is defined by the appended claims.

What is claimed is:
 1. A method for focused development of a zero trustnetwork access policy, the method comprising: accessing, by a processingresource, a focus list, wherein the focus list identifies at least onenetwork element; monitoring, by the processing resource, networkactivity to yield a set of network traffic; identifying, by theprocessing resource, a set of workloads in the set of network trafficthat are either sourced from any of the at least one network focus, ordestined to any of the at least one network element; and augmenting, bythe processing resource, an access control list to include one or moreworkload rules allowing the set of workloads.
 2. The method of claim 1,wherein the network element is selected from a group consisting of: anetwork endpoint, a network appliance, an application, and a port of anetwork appliance.
 3. The method of claim 1, wherein the set of networktraffic is a first set of network traffic, wherein the set of workloadsis a first set of workloads, the method further comprising: monitoring,by the processing resource, network activity to yield a second set ofnetwork traffic; identifying, by the processing resource, a second setof workloads in the second set of network traffic that are eithersourced from any of the at least one network focus, or destined to anyof the at least one network focus; identifying, by the processingresource, at least one workload in the second set of workloads that isnot in the first set of workloads; and augmenting, by the processingresource, the access control list to include the at least one workloadin the second set of workloads that is not in the first set ofworkloads.
 4. The method of claim 1, wherein the network element is afirst network element, the method further comprising: identifying, bythe processing resource, a second network element that is either thesource of a workload in the set of workloads or a destination of aworkload in the set of workloads; and augmenting, by the processingresource, the focus list to include the second network element.
 5. Themethod of claim 4, wherein the set of network traffic is a first set ofnetwork traffic, wherein the set of workloads is a first set ofworkloads, the method further comprising: monitoring, by the processingresource, network activity to yield a second set of network traffic;identifying, by the processing resource, a second set of workloads inthe second set of network traffic that are either sourced from any ofthe at least one network focus, or destined to any of the at least onenetwork element; and identifying, by the processing resource, at leastone workload in the second set of workloads that is not in the first setof workloads; and augmenting, by the processing resource, the accesscontrol list to include the at least one workload in the second set ofworkloads that is not in the first set of workloads.
 6. The method ofclaim 1, the method further comprising: identifying, by the processingresource, a first application associated with two or more workloads inthe set of workloads, and a second application associated with two ormore other workloads in the set of workloads; wherein augmenting, by theprocessing resource, the access control list to include one or moreworkload rules allowing the set of workloads is an incrementalmodification, and wherein the incremental modification includes:augmenting, by the processing device, the access control list to includefirst workload rules corresponding to the two or more workloadsassociated with the first application to yield a first augmented accesscontrol list; forward testing, by the processing device, the firstaugmented access control list; subsequent to forward testing the firstaugmented access control list, augmenting, by the processing device, thefirst access control list to include second workload rules correspondingto the two or more workloads associated with the second application toyield a second augmented access control list; and forward testing, bythe processing device, the second augmented access control list.
 7. Themethod of claim 6, wherein the access control list includes a defaultrule that allows any network traffic between any source and anydestination, and wherein the forward testing the first augmented accesscontrol list comprises: applying the first workload rules; and applyingthe default rule after the first workload rules.
 8. The method of claim6, wherein the access control list includes a default rule that allowsany network traffic between any source and any destination, and whereinthe forward testing the second augmented access control list comprises:applying the first workload rules; applying the second workload rules;and applying the default rule after applying all of the first workloadrules and the second workload rules.
 9. The method of claim 1, whereinthe access control list includes a default rule that allows any networktraffic between any source and any destination.
 10. The method of claim9, the method further comprising: modifying, by the processing resource,the default rule to block any network traffic between any source and anydestination.
 11. A network appliance, the network appliance comprising:a processing resource; a non-transitory computer-readable medium,coupled to the processing resource, having stored therein instructionsthat when executed by the processing resource cause the processingresource to: access a focus list, wherein the focus list identifies atleast one network element; monitor network activity to yield a set ofnetwork traffic; identify a set of workloads in the set of networktraffic that are either sourced from any of the at least one networkfocus, or destined to any of the at least one network element; andaugment an access control list to include one or more workload rulesallowing the set of workloads.
 12. The network appliance of claim 11,wherein the network element is selected from a group consisting of: anetwork endpoint, a network appliance, an application, and a port of anetwork appliance.
 13. The network appliance of claim 11, wherein theset of network traffic is a first set of network traffic, wherein theset of workloads is a first set of workloads, and wherein theinstructions that when executed by the processing resource cause theprocessing resource further to: monitor network activity to yield asecond set of network traffic; identify a second set of workloads in thesecond set of network traffic that are either sourced from any of the atleast one network focus, or destined to any of the at least one networkfocus; identify at least one workload in the second set of workloadsthat is not in the first set of workloads; and augment the accesscontrol list to include the at least one workload in the second set ofworkloads that is not in the first set of workloads.
 14. The networkappliance of claim 11, wherein the network element is a first networkelement, and wherein the instructions that when executed by theprocessing resource cause the processing resource further to: identify asecond network element that is either the source of a workload in theset of workloads or a destination of a workload in the set of workloads;and augment the focus list to include the second network element. 15.The network appliance of claim 11, wherein the set of network traffic isa first set of network traffic, wherein the set of workloads is a firstset of workloads, and wherein the instructions that when executed by theprocessing resource cause the processing resource further to: monitornetwork activity to yield a second set of network traffic; identify asecond set of workloads in the second set of network traffic that areeither sourced from any of the at least one network focus, or destinedto any of the at least one network element; identify at least oneworkload in the second set of workloads that is not in the first set ofworkloads; and augment the access control list to include the at leastone workload in the second set of workloads that is not in the first setof workloads.
 16. The network appliance of claim 11, wherein the accesscontrol list includes a default rule that allows any network trafficbetween any source and any destination.
 17. The network appliance ofclaim 16, and wherein the instructions that when executed by theprocessing resource cause the processing resource further to: modify thedefault rule to block any network traffic between any source and anydestination.
 18. A non-transitory computer-readable storage mediumembodying a set of instructions, which when executed by a processingresource, causes the processing resource to: access a focus list,wherein the focus list identifies at least one network element; monitornetwork activity to yield a set of network traffic; identify a set ofworkloads in the set of network traffic that are either sourced from anyof the at least one network focus, or destined to any of the at leastone network element; and augment an access control list to include oneor more workload rules allowing the set of workloads.
 19. Thenon-transitory computer-readable storage medium of claim 18, wherein thenetwork element is selected from a group consisting of: a networkendpoint, a network appliance, an application, and a port of a networkappliance.
 20. The non-transitory computer-readable storage medium ofclaim 18, wherein the set of network traffic is a first set of networktraffic, wherein the set of workloads is a first set of workloads, andwherein the instructions that when executed by the processing resourcecause the processing resource further to: monitor network activity toyield a second set of network traffic; identify a second set ofworkloads in the second set of network traffic that are either sourcedfrom any of the at least one network focus, or destined to any of the atleast one network focus; identify at least one workload in the secondset of workloads that is not in the first set of workloads; and augmentthe access control list to include the at least one workload in thesecond set of workloads that is not in the first set of workloads.